Kernel KVM virtualization development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Atish Patra" <atish.patra@linux.dev>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 3/4] crypto: ccp: Fix possible deadlock in SEV init failure path
Date: Tue, 02 Jun 2026 23:07:57 +0000	[thread overview]
Message-ID: <20260602230757.8F2371F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260602-sev_snp_fixes-v3-3-24bfd3ae047c@meta.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] Failure in `rmp_mark_pages_firmware()` causes `__snp_alloc_firmware_pages()` to leak memory and return NULL, leading to a cascade invalid pointer dereference.
- [High] Bounce buffers and firmware-owned pages are permanently leaked when legacy command buffer mapping or preparation fails.
- [High] Command buffer active state flags are leaked on error paths, leading to permanent `-EBUSY` exhaustion for all SEV firmware commands.
--

commit 1310cc2bc448794800c5bf6fa91a6d1bce53eafb
Author: Atish Patra <atishp@meta.com>

crypto: ccp: Fix possible deadlock in SEV init failure path
    
__sev_platform_init_handle_init_ex_path() calls
rmp_mark_pages_firmware() with locked=false while the parent
function of init_ex_path already acquired the sev_cmd_mutex.
In the case of an RMPUPDATE failure for any page after the first, the cleanup
path would invoke reclaim pages which would result in a deadlock in
sev_do_cmd.

> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b60..3d4793e8e34b2 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -1557,7 +1557,7 @@ static int __sev_platform_init_handle_init_ex_path(struct sev_device *sev)
>  		unsigned long npages;
>  
>  		npages = 1UL << get_order(NV_LENGTH);
> -		if (rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, false)) {
> +		if (rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, true)) {
>  			dev_err(sev->dev, "SEV: INIT_EX NV memory page state change failed.\n");
>  			return -ENOMEM;
>  		}

[Severity: High]
This is a pre-existing issue, but does __snp_alloc_firmware_pages() leak memory
and return NULL if rmp_mark_pages_firmware() fails?

drivers/crypto/ccp/sev-dev.c:__snp_alloc_firmware_pages()
		if (rmp_mark_pages_firmware(paddr, npages, locked))
			return NULL;

The function appears to return NULL without freeing the allocated page.

Additionally, in __sev_snp_init_locked(), the result of this function is
passed directly to page_address():

drivers/crypto/ccp/sev-dev.c:__sev_snp_init_locked()
		void *tio_status = page_address(__snp_alloc_firmware_pages(
			GFP_KERNEL_ACCOUNT | __GFP_ZERO, 0, true));

		if (tio_status) {
			sev_tsm_init_locked(sev, tio_status);

Since page_address() applies pointer arithmetic, passing NULL to it results
in a non-NULL invalid virtual address. This bypasses the subsequent
if (tio_status) check, causing a crash upon dereference in
sev_tsm_init_locked(). Can we add a check for the NULL return value before
calling page_address() and ensure the memory is freed on failure?

[Severity: High]
This isn't a bug introduced by this patch, but are bounce buffers and
firmware-owned pages permanently leaked when legacy command buffer mapping or
preparation fails?

In snp_map_cmd_buf_desc():
	if (rmp_mark_pages_firmware(*desc->paddr_ptr, npages, true)) {
		pr_warn("Error moving pages to firmware-owned state for SEV legacy command.\n");
		return -EFAULT;
	}

The function returns without calling __free_pages() for the allocated bounce
buffer.

Also, in snp_map_cmd_buf_desc_list():
err_unmap:
	for (i--; i >= 0; i--)
		snp_unmap_cmd_buf_desc(&desc_list[i]);

The error unmap loop decrements i before unmapping, skipping the descriptor
that just failed and leaking its buffer.

Furthermore, in snp_prep_cmd_buf():
		if (rmp_mark_pages_firmware(__pa(cmd_buf), 1, true))
			return -EFAULT;

If this fails, the function returns -EFAULT immediately without calling
snp_unmap_cmd_buf_desc_list(). All previously mapped descriptor pages remain
permanently locked in the firmware-owned state, and their bounce buffers are
leaked.

[Severity: High]
This is a pre-existing issue, but could command buffer active state flags leak
on error paths in __sev_do_cmd_locked()?

drivers/crypto/ccp/sev-dev.c:__sev_do_cmd_locked()
		ret = snp_prep_cmd_buf(cmd, cmd_buf, desc_list);
		if (ret) {
			dev_err(sev->dev,
				"SEV: failed to prepare buffer for legacy command 0x%x. Error: %d\n",
				cmd, ret);
			return ret;
		}

If snp_prep_cmd_buf() fails, the function returns immediately without rolling
back the cmd_buf_active and cmd_buf_backup_active lock tracking variables.

After two such failures, both command buffer slots could be permanently
marked as active, leading to all future firmware commands failing with -EBUSY.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602-sev_snp_fixes-v3-0-24bfd3ae047c@meta.com?part=3

  reply	other threads:[~2026-06-02 23:07 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-02 22:36 [PATCH v3 0/4] KVM: Miscellaneous SEV/SNP related fixes Atish Patra
2026-06-02 22:36 ` [PATCH v3 1/4] KVM: SEV: Do not allow intra-host migration/mirroring of SNP VMs Atish Patra
2026-06-02 22:36 ` [PATCH v3 2/4] KVM: selftests: Verify SNP VMs are rejected from migration and mirroring Atish Patra
2026-06-02 22:36 ` [PATCH v3 3/4] crypto: ccp: Fix possible deadlock in SEV init failure path Atish Patra
2026-06-02 23:07   ` sashiko-bot [this message]
2026-07-03  6:18   ` Herbert Xu
2026-07-06 18:09     ` Sean Christopherson
2026-07-07 13:20       ` Herbert Xu
2026-06-02 22:36 ` [PATCH v3 4/4] crypto: ccp: Fix memory leak in SEV INIT_EX path Atish Patra
2026-07-03  6:19   ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260602230757.8F2371F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atish.patra@linux.dev \
    --cc=kvm@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox